data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 9 Projects 1 Releases Wiki Activity

Firewall (UFW) #107

Merged
samsapti merged 3 commits from :main into main 2022-11-22 20:05:01 +00:00
Conversation 6 Commits 3 Files changed 4 +28
4 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
deploy.sh
View file

@ -2,6 +2,11 @@
BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
echo "Installing community modules"
ansible-galaxy collection install community.general
fi
if [ -z "$1" ]; then
echo "Deploying all!"
$BASE_CMD

1
roles/ubuntu_base/tasks/base.yml
View file

@ -9,6 +9,7 @@
- apparmor
- haveged
- mosh
- ufw
- srvadmin-all # Dell OpenManage
- name: Install necessary packages via pip

20
roles/ubuntu_base/tasks/firewall.yml Normal file
View file

@ -0,0 +1,20 @@
---
- name: Setup firewall with UFW
community.general.ufw:
state: enabled
policy: deny
- name: Allow necessary ports
community.general.ufw:
rule: allow
port: "{{ item }}"
samsapti marked this conversation as resolved
reynir commented 2022-11-12 18:48:25 +00:00
Review
Copy link

Udp? Tcp? Both?

Udp? Tcp? Both?
samsapti commented 2022-11-13 13:07:16 +00:00
Review
Copy link

Do any of the services need UDP? Otherwise I can set them all to allow TCP only.

Do any of the services need UDP? Otherwise I can set them all to allow TCP only.
reynir commented 2022-11-13 15:57:40 +00:00
Review
Copy link

I think we may need UDP to receive responses to DNS requests. Otherwise I don't think we use UDP. My question was also what protocol(s) this covers.

I think we may need UDP to receive responses to DNS requests. Otherwise I don't think we use UDP. My question was also what protocol(s) this covers.
samsapti commented 2022-11-13 16:50:58 +00:00
Review
Copy link

Default is both.

Default is both.
samsapti commented 2022-11-13 17:02:46 +00:00
Review
Copy link

I think we may need UDP to receive responses to DNS requests.

No, firewall is only for blocking incoming requests. Responses to outgoing requests are not affected.

> I think we may need UDP to receive responses to DNS requests. No, firewall is only for blocking incoming requests. Responses to outgoing requests are not affected.
reynir commented 2022-11-13 20:05:09 +00:00
Review
Copy link

Yes, but you need to listen for the response :-)

Yes, but you need to listen for the response :-)
samsapti commented 2022-11-13 20:51:18 +00:00
Review
Copy link

Still, DNS requests work even if UFW blocks UDP, since it only blocks incoming requests. A DNS response is not a request ;)

Still, DNS requests work even if UFW blocks UDP, since it only blocks incoming _requests_. A DNS response is not a request ;)
reynir commented 2022-11-14 09:24:07 +00:00
Review
Copy link

Well, UDP is connectionless and doesn't know about requests and responses. The reply is sent to the sender on the sending port. It may be that the rule generated by ufw tracks the state and allows replies, but it is not immediately obvious from these invocations.

For other UDP uses it may not be desirable: for example, if the datagrams are metrics reports we don't expect a reply and it would be undesirable to allow incoming packets in that case.

Well, UDP is connectionless and doesn't know about requests and responses. The reply is sent to the sender on the sending port. It may be that the rule generated by ufw tracks the state and allows replies, but it is not immediately obvious from these invocations. For other UDP uses it may not be desirable: for example, if the datagrams are metrics reports we don't expect a reply and it would be undesirable to allow incoming packets in that case.
samsapti commented 2022-11-14 16:03:43 +00:00
Review
Copy link

You're right, perhaps I wasn't clear enough. Yes, Iptables/Nftables (which is UFW's backend(s)) tracks the state, and thus allows replies. It will only block clients trying to connect to the denied port on the host, even if a service is listening on the port (but not in the case of Docker described below). Unless you deny outgoing traffic, DNS lookups will work fine.

Also, I've never had problems with UFW blocking DNS lookups with this configuration.

You're right, perhaps I wasn't clear enough. Yes, Iptables/Nftables (which is UFW's backend(s)) tracks the state, and thus allows replies. It will only block clients trying to connect to the denied port on the host, even if a service is listening on the port (but not in the case of Docker described below). Unless you deny outgoing traffic, DNS lookups will work fine. Also, I've never had problems with UFW blocking DNS lookups with this configuration.
samsapti commented 2022-11-15 19:42:54 +00:00
Review
Copy link

I've changed it such that it only allows TCP on the specified ports.

I've changed it such that it only allows TCP on the specified ports.
loop:
- "22/tcp" # Gitea SSH
- "80/tcp" # HTTP
- "443/tcp" # HTTPS
- "389/tcp" # OpenLDAP
samsapti marked this conversation as resolved Outdated
reynir commented 2022-11-12 18:55:21 +00:00
Outdated
Review
Copy link

I'm not sure we actually want to expose ldap

I'm not sure we actually want to expose ldap
samsapti commented 2022-11-13 13:12:00 +00:00
Outdated
Review
Copy link

Why is that? Do we only need it to be reachable internally on the host? If so, we should then also prefix the ports with 127.0.0.1: in the container config. Or if the only thing that needs to communicate with it is phpldapadmin, it shouldn't expose ports at all since they're on the same Docker network. If that's the case, I can fix it in another PR.

Why is that? Do we only need it to be reachable internally on the host? If so, we should then also prefix the ports with `127.0.0.1:` in the container config. Or if the only thing that needs to communicate with it is `phpldapadmin`, it shouldn't expose ports at all since they're on the same Docker network. If that's the case, I can fix it in another PR.
reynir commented 2022-11-13 15:59:29 +00:00
Outdated
Review
Copy link

Yes, I think it's only used internally. Whether we have configured things correctly to use internal networks is another question. I don't know all that much about LDAP, and especially regarding security considerations, but I think we probably don't want to expose it. Maybe @valberg has an opinion.

Yes, I think it's only used internally. Whether we have configured things correctly to use internal networks is another question. I don't know all that much about LDAP, and especially regarding security considerations, but I think we probably don't want to expose it. Maybe @valberg has an opinion.
- "636/tcp" # OpenLDAP
- "25/tcp" # Email
- "465/tcp" # Email
- "587/tcp" # Email
- "993/tcp" # Email
- "19022/tcp" # SSH

2
roles/ubuntu_base/tasks/main.yml
View file

@ -7,4 +7,6 @@
tags: [install-base-packages]
- import_tasks: users.yml
tags: [setup-users]
- import_tasks: firewall.yml
tags: [setup-firewall]